Debugging LDAP/AD Authentication

LDAP/AD authentication is complex to configure, and a lot can go wrong. The purpose of this article is to help you determine what's going wrong and fix it. You should also refer to the LDAP Authentication Flow Chart in the cdaily-x.x.x/WEB-INF/misc/security directory.

If the error indicates the issue is in the SSL certificate, follow these steps to debug SSL:

Debugging SSL

If SSL authentication is not working, first try disabling SSL by editing the LDAP.properties file. Once you have authentication working without SSL, re-enable SSL and follow these steps:

To debug the SSL connection sequence, define

This sends debug information to stdout (in the default installation, the catalina.out file). You should see the certificate exchange and the certificate details. Make sure the matching certificate is in the keystore.

If you see a disconnect before the server sends its certificate, refer to MS KB Article 321051. The article applies even if you are not using a third-party SSL certificate.

http://support.microsoft.com/kb/321051

If the error is not in the SSL communication, check the following:

Verify the lookup account is working.

Verify the account exists within the specified tree.

Check the default context name and verify the user exists within that context or a container under it.
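As an added aid for the last check, not part of the original article or the product: the function below tests whether a user's DN lies in the configured default context or in a container under it. It compares RDN by RDN (case-insensitive, ignoring whitespace after commas, honouring backslash-escaped commas in values), so a context of dc=example,dc=com does not falsely match a user under dc=myexample,dc=com the way a plain string suffix test would. The DNs used are constructed sample values.

```python
"""Check whether an LDAP user DN sits inside the configured default context."""
from __future__ import annotations


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize_rdn(rdn: str) -> str:
    """Case-fold attribute type and value and trim whitespace around '='."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def user_in_context(user_dn: str, default_context: str) -> bool:
    """True when user_dn is in default_context or a container beneath it.

    The comparison is per RDN, so the context must match whole naming
    components; the user entry itself must be strictly below the context.
    """
    user = [normalize_rdn(r) for r in split_dn(user_dn)]
    ctx = [normalize_rdn(r) for r in split_dn(default_context)]
    if not ctx or len(ctx) >= len(user):
        return False
    return user[-len(ctx):] == ctx


if __name__ == "__main__":
    # Constructed sample: a user in OU=Staff checked against two contexts.
    dn = "CN=jdoe,OU=Staff,DC=example,DC=com"
    print(user_in_context(dn, "dc=example, dc=com"))        # True
    print(user_in_context(dn, "OU=Sales,DC=example,DC=com"))  # False
```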

For additional information, refer to the LDAP Authentication Flow Chart contained in the cdaily-x.x.x/WEB-INF/misc/security directory.